Cryptography

Security in the Internet of Things (IoT) leaves much to be desired. Some of the recent DDoS attacks, such as those through Mirai on DNS provider Dyn or on the popular security site KrebsOnSecurity, have been possible due to weak security measures in things like network-connected cameras. There are many reasons why the situation is what it is today, but that will not be the topic of this entry. While we have seen some initiatives, notably the security guidelines (PDF) by NIST and some comments made by Bruce Schneier, I feel that this leaves a lot of people wondering what practical measures to take to secure their devices. Many companies in the IoT space are start-ups lacking a proper understanding of what security in the embedded field entails, and might lack (or didn't plan for) the budget to hire dedicated security people. The goal of this blog entry is to (hopefully) lift the veil on some of the methodologies that should be employed to create more secure IoT systems from a very practical point of view.

Just recently I had an article of mine published on embedded.com. In the text, I outline some of the security issues currently present in the Smart Grid, from the meter to the SCADA system. It is a brief overview only, and not too technical or in depth. It serves as a basis for a series of future research articles detailing the security aspects of each component of the Smart Grid. Hopefully the article can be a gentle introduction to the topic, and I hope you enjoy reading it!

A lot of business travelers have at one point or another sensitive information on their laptops. This information could come in the form of a corporate document, an email, or that PowerPoint you decided to finish on that transatlantic flight. It could also be credit card and bank information, social security numbers, or even just a list of customers or contact persons. Loss of this kind of sensitive information seems to happen all the time...

The main reason for writing this entry however is not to point a finger at any of these providers. It's to show you that The Cloud sometimes stops being there - and the potential for problems can be much worse than the outages mentioned above. I'm talking about a certain thing called "The Smart Grid"...

After the recent leaks of password hashes from LinkedIn and others, I thought it would be a good idea to write down some 'best practices' on how to properly deal with user passwords and sensitive data. This entry is by no means complete, nor is it the be-all and end-all of what there is to say about the topic. What it does try to do is give a decent starting point to eliminate basic mistakes which could lead to embarrassment later on. If you're developing a new website, bringing another one up to date, or are otherwise working with users and passwords, these tips might be of help. Let's start...

So LinkedIn had some security issues a couple of days ago: 6 million or so password hashes from their users were leaked on a Russian hacker site. There seems to be quite some confusion among people as to what the impact of this really is, with several websites claiming that the actual passwords were leaked, that the passwords can be 'decrypted' etc. Let's put some of these things straight, starting with some of the terminology.

Some of my research is focused on the implementation issues of Elliptic Curve Cryptography on embedded systems. Since I often have to explain what Elliptic Curve Cryptography exactly is, I decided to write this little introduction on the matter. Maybe this will get the attention of some of my students, and can perhaps get them more interested in the mathematical branch of finite fields in Algebra.